How do I crack substr hash?
#11
Congratulations, your IQ is -1, sir.
#12
here's my stab at creating a program to crack this type of hash. not exceptionally good since it doesn't use sse2 or anything, but it is multithreaded and should be quite a bit faster than the other two that atom and undeath provided. seems to reliably find a collision in under a minute on my box.

http://bindshell.nl/pub/md5substr_mt.c


Code:
epixoip@db:~$ ./md5substr cafebabe
Using 16 threads.
Elapsed: 38s  Progress: 3227859000/377149515625 (0.9%),  Speed: 84.9 M/s
cafebabe:t,gr>N

epixoip@db:~$ ./md5substr deadfa11
Using 16 threads.
Elapsed: 40s  Progress: 3397629000/377149515625 (0.9%),  Speed: 84.9 M/s
deadfa11:G,vzY;

epixoip@db:~$ ./md5substr deadbabe
Using 16 threads.
Elapsed: 32s  Progress: 2718719000/377149515625 (0.7%),  Speed: 85.0 M/s
deadbabe:=+y51e

epixoip@db:~$ ./md5substr ba5eba11
Using 16 threads.
Elapsed: 33s  Progress: 2803169000/377149515625 (0.7%),  Speed: 84.9 M/s
ba5eba11:),;~u`

epixoip@db:~$ ./md5substr aaaaaaaa
Using 16 threads.
Elapsed: 20s  Progress: 1698384000/377149515625 (0.5%),  Speed: 84.9 M/s
aaaaaaaa:8*pU]]
#13
Stop abusing these poor little md5s! :'(
#14
no way, this is way too much fun! Smile what i want now is for someone to one-up me and post an even faster version.
#15
Oh yeah, thats the spirit!! Smile
#16
Worked on this a little bit more and came up with another version that is ~ 45% faster, still without using SIMD.

http://bindshell.nl/pub/md5substr_mt2.c

Code:
epixoip@db:~$ ./md5substr2 aaaaaaaa
Using 16 threads.
Elapsed: 12s  Progress: 1482700000/377149515625 (0.4%),  Speed: 123.6 M/s
aaaaaaaa:8*pU]]

epixoip@db:~$ ./md5substr2 deadbeef
Using 16 threads.
Elapsed: 27s  Progress: 3336900000/377149515625 (0.9%),  Speed: 123.6 M/s
deadbeef:L,ud<P

epixoip@db:~$ ./md5substr2 deadface
Using 16 threads.
Elapsed: 26s  Progress: 3212500000/377149515625 (0.9%),  Speed: 123.6 M/s
deadface:V,l?,E

epixoip@db:~$ ./md5substr2 deadfa11
Using 16 threads.
Elapsed: 27s  Progress: 3335700000/377149515625 (0.9%),  Speed: 123.5 M/s
deadfa11:G,vzY;

epixoip@db:~$ ./md5substr2 cafebabe
Using 16 threads.
Elapsed: 26s  Progress: 3211900000/377149515625 (0.9%),  Speed: 123.5 M/s
cafebabe:t,gr>N

epixoip@db:~$ ./md5substr2 ffffffff
Using 16 threads.
Elapsed: 32s  Progress: 3953500000/377149515625 (1.0%),  Speed: 123.5 M/s
ffffffff:e-\1Go
#17
All right gents, here's a SIMD-accelerated version that uses SSE2 and, if applicable, XOP. It's ~ 350% faster than the code posted above.

http://bindshell.nl/pub/md5substr_simd.c

I used an unconventional interleaving technique (interleaving each step, rather than each operation) which ended up being a bit faster than current implementations.

On an FX-4100 the XOP code is ~240% faster than hashcat 0.42, and ~1.2% faster than John the Ripper.

On a Xeon X7350, the SSE2 code is ~260% faster than hashcat 0.42, and ~1.1% faster than John the Ripper.

Code:
epixoip@db:~$ ./md5substr aaaaaaaa
Using 16 threads, 12x SSE2
Elapsed: 3s  Progress: 1237332096/377149515625 (0.3%),  Speed: 426.67 M/s virt, 412.44 M/s real
aaaaaaaa:8*pU]]

epixoip@db:~$ ./md5substr deadbeef
Using 16 threads, 12x SSE2
Elapsed: 8s  Progress: 3327996672/377149515625 (0.9%),  Speed: 426.67 M/s virt, 416.00 M/s real
deadbeef:L,ud<P

epixoip@db:~$ ./md5substr deadface
Using 16 threads, 12x SSE2
Elapsed: 7s  Progress: 2901330432/377149515625 (0.8%),  Speed: 426.67 M/s virt, 414.48 M/s real
deadface:V,l?,E

epixoip@db:~$ ./md5substr deadfa11
Using 16 threads, 12x SSE2
Elapsed: 8s  Progress: 3327996672/377149515625 (0.9%),  Speed: 426.67 M/s virt, 416.00 M/s real
deadfa11:G,vzY;

epixoip@db:~$ ./md5substr cafebabe
Using 16 threads, 12x SSE2
Elapsed: 7s  Progress: 2901330432/377149515625 (0.8%),  Speed: 426.67 M/s virt, 414.48 M/s real
cafebabe:t,gr>N

epixoip@db:~$ ./md5substr ffffffff
Using 16 threads, 12x SSE2
Elapsed: 9s  Progress: 3754662912/377149515625 (1.0%),  Speed: 426.67 M/s virt, 417.18 M/s real
ffffffff:e-\1Go
#18
Wow, I never knew you were little md5s fetish.

:P

Btw, impressive work though I don't see the need to all this speed in such job.
Unless you're really... ahem.. a little md5s fetish.
#19
well, the md5 implementation itself is not specific to cracking substr() hashes. the only part of this program that is specific to cracking the substr() hashes is the hash comparison. so the bulk of this code can be reused just about anywhere that md5 is used.
#20
I am attempting to crack a substr(md5($pass),12,20) and came across this thread after a google search as Hashcat does not support it.
I have ran the script by atom with the windows command
oclHashcat-1.37\maskprocessor-0.73>mp64.exe ?d?d?d?d?d?d?d?d?d?d | subhash.c substring.txt deadbeef and although it found nothing it appeared to work (run without errors) my questions as I am unfamiliar with this hash is
1. Do I have to change anything in the script as this was originally written for the original post of
substr(md5(password), 0, 8)`
2. What exactly is the mask ?d?d etc. doing - is it passing digits to the hash text file or is it apply places/lengths to the possible pass.
3. What is the purpose of the aaaaaaaa and deadbeef at the end of the command line
4. Tried to run Undeaths script but got the error stdin = sys.stdin.detach() ttributeError: 'file' object has no attribute 'detach'
5. The link to epixoip's script is dead so was unable to try that - if someone could upload it again I will be grateful.